Data Brokers

Subscribe to Data Brokers via RSS

Key point: Starting August 1, 2026, registered data brokers will need to access California’s new one-stop-shop deletion platform to process deletion requests or risk significant fines.

Last month, the California Office of Administrative Law (OAL) approved the California Privacy Protection Agency’s (CalPrivacy) regulations further implementing the Delete Act (SB 362). Effective January 1, 2026, the Delete Act makes several changes to California’s data broker law, including charging CalPrivacy with creating a new one-stop-shop for California residents to request that all registered data brokers delete their personal information. California residents can begin registering on January 1, 2026, and data brokers must process requests starting August 1, 2026. Failure to comply is subject to a $200 fine “for each deletion request for each day the data broker fails to delete information.”

In the below article, we provide a brief background on the Delete Act and summarize the new regulations.

Key point: This is the eighth fine CalPrivacy has issued against an entity for failing to register as a data broker and comes just days after CalPrivacy announced a new Data Broker Enforcement Strike Force and only months before fines will significantly increase under the California Delete Act.

On December 3, 2025, the California Privacy Protection Agency (CalPrivacy) announced its latest fine for an entity failing to register as a data broker under California’s Delete Act. This is the eighth time CalPrivacy has fined an entity for failing to register as a data broker. The agency issued four fines in both 2024 and 2025.

The $56,600 fine comes just days after CalPrivacy announced the formation of a Data Broker Enforcement Strike Force, portending even more (and significantly higher) fines against data brokers and unregistered data brokers. This is particularly notable given that the agency’s data broker regulations adopt a broader definition of what constitutes a data broker, which definition may encompass entities that do not traditionally consider themselves to be data brokers.

In the below article, we provide a brief overview of the enforcement action. We also discuss the broader context of data broker regulation in California, including the increased risks and requirements on data brokers in 2026.

Key point: The California Privacy Protection Agency’s announcement places even more scrutiny on the compliance practices of data brokers.

On November 19, 2025, the California Privacy Protection Agency (now calling itself CalPrivacy) announced the creation of a Data Broker Enforcement Strike Force. The stated goal of the strike force is to review the data broker “industry for compliance with the data broker registration requirement in the Delete Act, as well as for compliance with the state’s comprehensive privacy law, the California Consumer Privacy Act.” Announcing the launch, Michael Macko, CalPrivacy’s head of enforcement, stated “For decades, strike forces have been a mainstay at U.S. Attorney offices and state Attorney General offices across the United States. We intend to bring the same level of intensity to our investigations into the data broker industry.”

Key point: California lawmakers once again increase the disclosure and transparency requirements for registered data brokers.

On October 8, 2025, California Governor Newsom signed SB 361 into law. The bill amends California’s existing data broker registration law to require data brokers to provide significantly more disclosures regarding their processing activities when annually registering with the California Privacy Protection Agency (CPPA).

This amendment comes shortly after the CPPA board’s recent approval of amendments to the state’s data broker regulations to incorporate the 2023 Delete Act (SB 362), including the creation of an accessible deletion mechanism that data brokers will need to comply with starting in August 2026. Those regulations were filed with the Office of Administrative Law on September 26.

Given these developments, California data brokers will need to engage in additional compliance measures in the coming months. In the below article, we provide an overview of the changes made by SB 361.